Author Topic: AR boot scan (solved)  (Read 12919 times)


Avaster

  • Guest
AR boot scan (solved)
« on: August 28, 2008, 11:20:01 AM »
I found this Anti-rootkit log file. Seems that the 'Anti-rootkit scan' runs at Windows boot-time. Is there a way to disable it?

Edit: Found solution here: http://support.avast.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=303&ratingconfirm=1
« Last Edit: August 28, 2008, 11:38:08 AM by Avaster »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 86543
  • No support PMs thanks
Re: AR boot scan (solved)
« Reply #1 on: August 28, 2008, 04:27:49 PM »
You don't mention why you want to do this?

It isn't run at boot, but 8 minutes after boot to enable any boot activity to complete, allowing a comparison to be made against what is actually running and what is reported as running.

If you found the C:\Program Files\Alwil Software\Avast4\DATA\log\aswAr.log you will also have found that the scan takes seconds, my last one took 3 seconds (start time at top and finished time at the bottom of the report).
What did yours report?
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 22.2.6003 (build 22.2.7013.717) UI 1.0.697/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Avaster

  • Guest
Re: AR boot scan (solved)
« Reply #2 on: October 28, 2008, 02:00:09 PM »
Btw, does Avast alarm right away if there are some hidden entries found on that AR "boot" scan?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 86543
  • No support PMs thanks
Re: AR boot scan (solved)
« Reply #3 on: October 28, 2008, 02:07:11 PM »
Yes it would normally alert if a clearly recognised or suspect rootkit/hidden file is found, so the old adage, no news is good news, sort of applies.

Avaster

  • Guest
Re: AR boot scan (solved)
« Reply #4 on: December 13, 2008, 12:20:39 PM »
Today this AR scan alerted me for the first time. It said that a hidden file was found - C:\Windows\system32\process.exe. I have a file like that in my system32 directory, but it's not a hidden file, nor a running process. It's a command line process utility from Beyondlogic.com. It's sometimes treated as a virus file. Was Avast really meaning this file? I ignored it, and after that I scanned my system with Malwarebytes' Anti-Malware and with F-Secure Blacklight rootkit detector, but nothing was found. Should I be worried?

YoKenny

  • Guest
Re: AR boot scan (solved)
« Reply #5 on: December 13, 2008, 12:39:51 PM »
Today this AR scan alerted me for the first time. It said that a hidden file was found - C:\Windows\system32\process.exe. I have a file like that in my system32 directory, but it's not a hidden file, nor a running process. It's a command line process utility from Beyondlogic.com. It's sometimes treated as a virus file. Was Avast really meaning this file? I ignored it, and after that I scanned my system with Malwarebytes' Anti-Malware and with F-Secure Blacklight rootkit detector, but nothing was found. Should I be worried?

I noticed the same thing and I think I sent it to be analyzed but I don't know if it did or not.

Avaster

  • Guest
Re: AR boot scan (solved)
« Reply #6 on: December 13, 2008, 12:44:06 PM »
Today this AR scan alerted me for the first time. It said that a hidden file was found - C:\Windows\system32\process.exe. I have a file like that in my system32 directory, but it's not a hidden file, nor a running process. It's a command line process utility from Beyondlogic.com. It's sometimes treated as a virus file. Was Avast really meaning this file? I ignored it, and after that I scanned my system with Malwarebytes' Anti-Malware and with F-Secure Blacklight rootkit detector, but nothing was found. Should I be worried?

I noticed the same thing and I think I sent it to be analyzed but I don't know if it did or not.
Hi Kenny, I'm CeeCee. :) Well, I think it's just a false positive.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 86543
  • No support PMs thanks
Re: AR boot scan (solved)
« Reply #7 on: December 13, 2008, 02:50:40 PM »
Well I have XP Pro SP3 and no such file on my system; there is qprocess.exe (Query Process Utility, an MS file) in the system32 folder. I don't have any products from beyondlogic.com (that I'm aware of), so you should check it out fully. You should elect to have it analysed by avast if it alerts on your next AR scan; the more submissions on the same file, the better the statistics about the detection...

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner, and report the findings here (the URL in the Address bar of the VT results page). You can't do this with the file securely in the chest; you need to extract it to a temporary (not original) location first, see below.

This type of thing (if not beyond logic's command line process utility) could be trying to trick you into thinking it is a legit file.


Avaster

  • Guest
Re: AR boot scan (solved)
« Reply #8 on: December 13, 2008, 03:20:51 PM »
Well I have XP Pro SP3 and no such file on my system
I have downloaded it myself. I think it came along with SmitfraudFix. There's such a file in SmitfraudFix folder too. The file creation date is the same.
« Last Edit: December 13, 2008, 03:22:46 PM by Avaster »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 86543
  • No support PMs thanks
Re: AR boot scan (solved)
« Reply #9 on: December 13, 2008, 03:31:47 PM »
Still worth investigating.

SmitfraudFix is a tool for removing rogue programs, so it may come with tools that could be detected as suspicious by the very way they work. Though RogueRemover, MalwareBytes AntiMalware and SAS are more commonly used for this purpose now. I would have thought removal of SmitfraudFix would clean up after it, so I don't know if that file would have been placed in the system32 folder.

The other issue is that this process.exe file is active and it would appear to be hidden, hence its detection.
« Last Edit: December 13, 2008, 03:34:00 PM by DavidR »

Avaster

  • Guest
Re: AR boot scan (solved)
« Reply #10 on: December 13, 2008, 05:10:10 PM »
The other issue is that this process.exe file is active and it would appear to be hidden, hence its detection.
You mean that it is a running program? I don't think that it is.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 86543
  • No support PMs thanks
Re: AR boot scan (solved)
« Reply #11 on: December 13, 2008, 05:35:29 PM »
Well it has to be running or avast wouldn't find it in the anti-rootkit scan, as it compares what is reported as running (with the various Windows APIs) against what is actually running. That is how it determines what is hidden, and how rootkits slip under the radar of the Windows APIs.

So the one in system32 is active and, as I said, that might have nothing to do with SmitfraudFix.
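The cross-view comparison DavidR describes in the reply above, written out as an added Python example (not Avast's code, and the process lists below are constructed sample data rather than real API output). One list stands in for what the Windows APIs report as running, the other for the scanner's own low-level enumeration. Entries present only in the low-level view are the "hidden" processes a rootkit detector alerts on; entries present only in the API view are stale, normally a process that exited between the two snapshots. Repeating the comparison over several snapshots and keeping only the differences that persist is the same idea as waiting for boot activity to settle before scanning: it filters out processes that happened to start or stop between the two walks. A file that merely exists on disk, like the process.exe discussed in this thread, never enters either view and so cannot be flagged by this comparison unless something is actually executing.

```python
"""Cross-view detection of hidden processes (added example, not Avast code).

Compares two enumerations of the running process table and reports the
entries each view is missing.  All sample data here is constructed.
"""
from dataclasses import dataclass
from typing import Iterable, List, Sequence, Tuple


@dataclass(frozen=True)
class ProcessEntry:
    """One process as seen by a particular enumeration method."""
    pid: int
    image: str


def cross_view_diff(api_view: Iterable[ProcessEntry],
                    low_level_view: Iterable[ProcessEntry]
                    ) -> Tuple[List[ProcessEntry], List[ProcessEntry]]:
    """Return (hidden, stale) for one pair of snapshots.

    hidden: found by the low-level walk but not reported by the API view
            (what an anti-rootkit scan alerts on).
    stale:  reported by the API view but absent from the low-level walk
            (usually a process that exited between the two snapshots).
    Both lists are sorted by pid so results are deterministic.
    """
    api = {p.pid: p for p in api_view}
    low = {p.pid: p for p in low_level_view}
    hidden = [low[pid] for pid in sorted(low.keys() - api.keys())]
    stale = [api[pid] for pid in sorted(api.keys() - low.keys())]
    return hidden, stale


def persistent_hidden(snapshot_pairs: Sequence[Tuple[Sequence[ProcessEntry],
                                                     Sequence[ProcessEntry]]]
                      ) -> List[ProcessEntry]:
    """Keep only pids that are hidden in every snapshot pair.

    A process that starts between the API call and the low-level walk looks
    hidden once; re-sampling removes that race and leaves true discrepancies.
    """
    surviving = None
    for api_view, low_view in snapshot_pairs:
        hidden, _ = cross_view_diff(api_view, low_view)
        now = {p.pid: p for p in hidden}
        if surviving is None:
            surviving = now
        else:
            surviving = {pid: p for pid, p in surviving.items() if pid in now}
    if not surviving:
        return []
    return [surviving[pid] for pid in sorted(surviving)]


# Constructed sample snapshots: pids and image names are made up.
SYSTEM = ProcessEntry(4, "System")
SVCHOST = ProcessEntry(512, "svchost.exe")
EXPLORER = ProcessEntry(1024, "explorer.exe")
NOTEPAD = ProcessEntry(777, "notepad.exe")          # exits between walks
HIDDEN = ProcessEntry(2048, "hidden_example.exe")  # constructed: API never reports it
STARTING = ProcessEntry(3001, "setup.exe")         # constructed: starts between walks

SAMPLE_SNAPSHOTS = [
    # 1: notepad exits after the API call -> stale, not hidden
    ([SYSTEM, SVCHOST, EXPLORER, NOTEPAD], [SYSTEM, SVCHOST, EXPLORER, HIDDEN]),
    # 2: setup.exe starts after the API call -> looks hidden in this pair only
    ([SYSTEM, SVCHOST, EXPLORER], [SYSTEM, SVCHOST, EXPLORER, HIDDEN, STARTING]),
    # 3: quiet system -> only the genuinely hidden entry differs
    ([SYSTEM, SVCHOST, EXPLORER], [SYSTEM, SVCHOST, EXPLORER, HIDDEN]),
]


if __name__ == "__main__":
    for n, (api_view, low_view) in enumerate(SAMPLE_SNAPSHOTS, 1):
        hidden, stale = cross_view_diff(api_view, low_view)
        print(f"snapshot {n}: hidden={[p.image for p in hidden]} "
              f"stale={[p.image for p in stale]}")
    print("persistent:", [p.image for p in persistent_hidden(SAMPLE_SNAPSHOTS)])
```

Run as a script to see the per-snapshot results followed by the persistent set; only the constructed hidden_example.exe survives all three comparisons, while the process that started mid-scan drops out.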

Rick F

  • Guest
Re: AR boot scan (solved)
« Reply #12 on: December 13, 2008, 07:03:52 PM »
Oops... deleted post as it was in wrong thread.  Sorry.  ::)
« Last Edit: December 13, 2008, 07:54:15 PM by Rick F »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 86543
  • No support PMs thanks
Re: AR boot scan (solved)
« Reply #13 on: December 13, 2008, 07:52:40 PM »
It's all right saying it looks like it is part of smitfraud, but looks can be very deceptive, since smitfraud is a stand-alone tool that runs to do a scan and on completion it's done. The URL of the VT results would have been better, as it shows much more info than the partial image.

There should be no active elements always running, so I'm sorry I think this has nothing to do with smitfraud unless smitfraud was running, which it clearly isn't.

Avaster

  • Guest
Re: AR boot scan (solved)
« Reply #14 on: December 13, 2008, 08:18:34 PM »
I'm pretty sure that it is not anything serious. Not going to do anything about it right now.